Office of Inspector General
U.S. Department of Labor
Office of Information Technology Audits

DOLAR$ APPLICATION CONTROL REVIEW

Department of Labor
Office of Chief Financial Officer

Report Number: 23-02-003-13-001
Date Issued: March 29, 2002

U.S. Department of Labor—Office of Chief Financial Officer
DOLAR$ Application Review

Table of Contents

Executive Summary ............................................................ 1
Background ................................................................... 3
Objective, Scope and Methodology ............................................. 4
Findings and Recommendations ................................................. 7
   1. Security management of DOLAR$ is weakened by a lack of policies and
      procedures and effective monitoring and maintenance of user accounts. ... 7
      A. User Account Management ............................................. 7
      B. Technical Controls ................................................. 10
   2. The accuracy, completeness and integrity of the information processed
      and stored by the DOLAR$ application are weakened by inadequate
      application functionality. ........................................... 12
      A. Application Audit Trails ........................................... 12
      B. Vendor Maintenance ................................................. 14
      C. Prior Month Posting Observation .................................... 16
      D. Dollar Amount of Transactions ...................................... 17
Acronyms .................................................................... 19

Executive Summary

The Office of Inspector General (OIG) conducted a review of the automated controls over the Department of Labor Accounting and Related Systems (DOLAR$) application. The information contained in the report can be used as input by the Department of Labor's (DOL) application accrediting authority for certifying and accrediting the DOLAR$ application.

At the beginning of the review, data flow diagrams (DFDs) for the Core, Accounts Payable and Accounts Receivable subsystems of DOLAR$ were created. These DFDs documented the critical processes and the location of key computer-related controls. Using information from the DFDs, a matrix for testing and evaluating specific controls was created and approved. These critical processes and controls were tested in the areas of (1) Access, (2) Input, (3) Processing, (4) Rejection, and (5) Output.

In summary, we found two main areas for concern:

   1. Security management of DOLAR$ is weakened by a lack of policies and procedures and effective monitoring and maintenance of user accounts (Access Controls).
      More specifically, we identified the following:
      • user account management weaknesses (i.e., security policies and procedures have not been implemented, users' access levels are not commensurate with their assigned job responsibilities, and user IDs for security users have not been adequately established to provide accountability and to prevent incompatibility in duties); and
      • technical control weaknesses over user access and password management.

   2. The accuracy, completeness and integrity of the information processed and stored by the DOLAR$ application are weakened by inadequate application functionality (Input, Processing and Rejection Controls). More specifically, we identified the following:
      • the DOLAR$ audit trail retains only the last change in the record edit history;
      • the Vendor Maintenance Table is not being adequately controlled;
      • prior month posting capabilities do not provide adequate controls to prevent transactions from posting to the incorrect period; and
      • controls over the upper limit of a dollar amount that can be entered for each transaction are inadequate.

To improve controls over the DOLAR$ application, we recommend the CFO:
   • develop or modify policies and procedures in the areas of access controls and the recertification process;
   • utilize the DOLAR$ User Class/profile to administer access controls;
   • implement automated password management;
   • increase the controls of the current manual monitoring effort;
   • review and disable transaction codes to limit potential security vulnerabilities;
   • add additional audit trail information;
   • review Vendor Maintenance Table access for business need;
   • implement periodic reviews to identify and remove duplicative, inactive and unauthorized vendors; and
   • implement controls over the upper limit of a dollar amount that can be entered for each transaction.

In response to the draft report, the Acting CFO agreed to develop or modify policies and procedures in the areas of access controls and the recertification process and to implement automated password management. However, the Acting CFO stated that the current system of assigning and controlling access provided the "granularity" needed to meet the Department's business need.

The Acting CFO generally disagreed with the conditions and/or the recommendations dealing with the application functionality. In regard to the audit trails, the Acting CFO states that some DOLAR$ processes now have sufficient audit trails, since the Office of the Chief Financial Officer (OCFO) has implemented the recommendation to disable the "TLCC" transaction code. The Acting CFO disagreed with the finding that a weakness exists in the current access levels to the Vendor Maintenance Table. The Acting CFO also disagreed with the recommendation to review and place reasonable limits on the amount field, as it would hinder DOL's ability to process timely and efficient payments and transactions.

The OIG was not provided any additional information to change or modify its position on the findings and recommendations presented in this report. We commend the OCFO for the actions that have been taken to resolve some of these issues.
We will continue to work with the OCFO to resolve those issues on which we currently disagree.

Background

This audit was conducted in support of the mandatory audit of DOL's Consolidated Financial Statements, as required by the Chief Financial Officers Act of 1990 (CFO Act) (P.L. 101-576). Office of Management and Budget Bulletin No. 98-08 establishes that when conducting the financial statement audit, the auditor shall obtain an understanding of the components of internal control and assess the level of control risk relevant to the assertions embodied in the classes of transactions, account balances, and disclosure components of the financial statements. Such controls include relevant EDP general and application controls.

The OCFO produces the consolidated financial statements for the Department of Labor. The OCFO has implemented a centralized core accounting system called the Department of Labor Accounting and Related Systems (DOLAR$). DOLAR$ is comprised of the core system with feeder systems and subsystems providing additional data for processing. These feeder systems provide data from agencies managing their own financial data and from other Federal agencies. The subsystems of DOLAR$ include Accounts Payable, Accounts Receivable, Travel, etc.

Objective, Scope and Methodology

The Office of Inspector General (OIG) conducted a review of the automated controls over the Department of Labor Accounting and Related Systems (DOLAR$) application.
The objective of our work was to review the critical application controls of the DOLAR$ application, in an effort to minimize the Department's risk associated with DOLAR$. The objective did not include rendering an opinion on the overall internal controls of DOLAR$.

We performed this review during the period of February 19, 2001 to April 6, 2001. Our testing covered those controls directly associated with the automated DOLAR$ application. We did not test any manual accounting controls that could potentially mitigate or impact the risks associated with weaknesses in the automated system control structure.

The application control review was developed and the controls tested were assessed using Federal guidance and criteria, consisting of:

• DOL's Computer Security Handbook
• National Institute of Standards and Technology Special Publication 800-18, Guide for Developing Security Plans for Information Technology Systems
• National Institute of Standards and Technology SP 800-12, An Introduction to Computer Security
• National Institute of Standards and Technology SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems
• OMB Circular A-130, Appendix III
• National Institute of Standards and Technology FIPS PUB 73, Guidelines for Security of Computer Applications
• National Institute of Standards and Technology FIPS PUB 112, Password Usage

Our work was performed in accordance with Government Auditing Standards, issued by the Comptroller General of the United States.

We created data flow diagrams (DFDs) for the Core, Accounts Payable and Accounts Receivable subsystems of DOLAR$ during the Control Identification and Preliminary Assessment Phase. These DFDs documented the critical processes and the location of key computer-related controls.
We used this information to create a matrix for testing and evaluating the specific controls identified.

We conducted testing in five control categories: (1) Access, (2) Input, (3) Processing, (4) Rejection, and (5) Output. The following provides a brief description of the work completed.

Access Controls

Access controls testing assessed how security was implemented at the application level in the areas of user access, general security features of DOLAR$, and segregation of duties. There is a total population of 620 DOLAR$ users, with approximately 420 users having read-only access and 200 users with update capabilities. We conducted some of the tests using the whole population of 620 users. We conducted other tests using a judgmental selection of 23 users to determine whether or not user access was appropriately granted based upon the "least privileged" concept.

Input Controls

Input controls testing assessed edits and validations to determine the accuracy, completeness, and integrity of data being entered via online, batch, and/or interface files from other systems. We conducted testing on a selection of critical fields having a financial statement impact or a high volume of transactions processed.

Processing and Rejection Controls

Processing and rejection controls were assessed to determine whether application controls in place over the processing of data would preclude or detect the erroneous or unauthorized addition, removal, or alteration of data during processing.
In addition, we performed testing of processing controls to determine whether selected transactions impacting critical management reports were accurately and completely recorded and posted to the general ledger. Process control testing involved mapping transactions, both on-line and batch, through the application from initial input, through processing, to output. Mapping is the process of determining that selected transactions post to the correct general ledger accounts and that critical management reports accurately and completely reflect the information that is input and processed by the application.

On-line transaction testing was based upon a selection of screens or functions deemed critical by the OIG. These screens/functions included the Accounts Payable subsystem and critical Core screens (i.e., Generic Entry, Fund Receipt). Our determination of testing was based on the frequency and dollar amount of DOLAR$ batches received or created. The following batches were tested:

• PMS/HHS (Payment Maintenance System/Health and Human Services)
• ESA/FECA (Federal Employment Compensation Act)
• Payroll
• UTF/Treasury (Unemployment Trust Fund)

Output Controls

We assessed output controls to determine whether information processed by DOLAR$ was accurately captured on critical management reports.

Computer Assisted Audit Techniques (CAAT)

The CAAT testing was based on a file from DOLAR$ containing over 2.2 million transactions that were posted between October 1, 2000 and February 28, 2001. The CAAT testing focused on the following control areas:

Access Controls
   • User IDs with posted transactions to DOLAR$ during the 5-month period
   • Users with update access without posted transactions to DOLAR$ during the 5-month period

Input Controls
   • Required fields were populated
   • Fields consisted only of valid entries

Processing Controls
   • Cut-off controls prevented transactions from posting in prior or future periods
   • Transaction codes were only posting to the designated general ledger accounts (this test was performed on selected general ledger accounts and transaction codes).

Findings and Recommendations

1. Security management of DOLAR$ is weakened by a lack of policies and procedures and effective monitoring and maintenance of user accounts.

A. User Account Management

We reviewed User Account Management and found that security management was ineffective in controlling user access rights to the DOLAR$ application. Specifically, we found that:
• policies and procedures for granting and certifying user access rights have not been maintained (Note: this issue was identified and reported as part of the general controls review);
• unrestricted access to critical screens (i.e., Generic Entry, Vendor Maintenance) had been granted to several users;
• users maintain current and active DOLAR$ processing capabilities, but have not recently posted transactions;
• management level users were able to verify their own access recertification forms;
• several users were assigned more than one user ID;
• the Security Officer's user ID and password are shared between the security and backup security officers (Note: the backup security officer also maintained a second user ID); and
• the Security Officer's user ID was used to process business transactions.

Without effective controls over the establishment and maintenance of well-defined user classes, access control lists, and assignment of access based upon a business need, users may receive processing capabilities for both initiating and approving transactions, circumventing the checks and balances of the system. In addition, these weaknesses could potentially compromise the financial integrity of the general ledger.

Recommendations

We recommend that the Chief Financial Officer (CFO):

1. Ensure that the OCFO's user access policy and procedures are in compliance with the Computer Security Handbook and that the OCFO's System Security Plan (SSP) for DOLAR$ contains sufficient policies and procedures governing the authorization, modification, removal, and monitoring of access based on the concept of "least privileged," and emergency access. In addition, the DOLAR$ SSP should include specific technical standards (security settings, critical system configuration, etc.). (Note: this is a modified recommendation from the general controls review.)

2. Create user classes (profiles) based on the user's job functions and responsibilities. User management and security administration should conduct a review to define a limited number of user classes, based on job title. For each position, the responsibilities, and thus the function codes, should be determined using the "least privileged" concept.
   (Note: user classes and function codes may need to be created, modified or deleted.) Once the new "user access matrix" has been created, it should be approved by the appropriate level of user management and security administration and included in the SSP. Additionally, all current users should be mapped to the appropriate new user class. See the diagram below for an example of a "user access matrix."

   Example User Access Matrix

   Region/Field Office | User Classes (Profiles)     | Job Description/DOLAR$ Responsibilities | Function Code | Assigned Staff
   --------------------|-----------------------------|-----------------------------------------|---------------|---------------
   Denver, CO          | Accounts Payable Clerk 1    | Invoice Receipt                         | IR            | John S.
                       |                             | Invoice Processing                      | IP            | Mary D.
                       |                             | Voucher Payment                         | VP            |
                       | Accounts Payable Supervisor | Vendor Maintenance                      | VM            | Bob D.
                       |                             |                                         |               | Sue B.
   Washington, DC      | Accounts Payable Clerk 1    | Invoice Receipt                         | IR            | Kevin K.
                       |                             | Invoice Processing                      | IP            | Regina R.
                       |                             | Voucher Payment                         | VP            |
                       |                             | XXXXX                                   | XX            |
                       |                             | WWWW                                    | WW            |

3. Address the recertification process in the DOLAR$ draft SSP and ensure the SSP includes the following:
   • providing guidance to the manager on how to complete the recertification forms;
   • defining the frequency of the recertification (at least annually);
   • identifying the signing authorities;
   • determining user statistics (types of transactions users process, date the user ID was last used, interval of time since the last password change, etc.);
   • identifying and removing duplicate user IDs; and
   • defining the Security Officer's and the back-up Security Officer's roles and responsibilities to clearly restrict the Security Officers' ability to perform business transactions. Unique user IDs and passwords should be established for accountability between the two positions, eliminating the sharing of the Security Officer's user ID.

Management's Response

The DOLAR$ SSP will be updated to incorporate: (1) policy and procedures for granting and certifying user access rights; (2) guidelines for monitoring and managing inactive IDs; and (3) guidelines for issuing multiple user IDs to individual users.

The OCFO has completed a review of the small percentage of users with access to the Generic Entry and the Vendor Maintenance screens and has determined that their level of access is consistent with their level of financial authority and responsibility, and is reinforced by the application of TC-Rules appropriate to each individual position. Access to these screens is greatly limited.
To do away with this capability would impede the DOL's ability to carry out efficiently and effectively its financial management functions.

The observation that "several" users were assigned multiple user IDs is both unclear and inaccurate. Because of dual-period processing, DOLAR$ requires that user IDs be set up for the accounts payable portion of a user's access, though a user cannot also sign into DOLAR$ with that "second" user ID. Its use is strictly for posting from the accounts payable batch process. During the review period, there was only one legitimate update-capable user who had two separate user IDs. The OCFO can provide more detail on that user's need if necessary.

The recertification process will be modified to preclude management level users' ability to verify their own recertification forms.

The Security Officer and the Back-up Security Officer do not maintain a second security ID. The Security Officer's ID had been but is no longer used to process business transactions. To accommodate the system requirement that the Security Officer and the Back-up Security Officer have joint use of the security user ID, the DOLAR$ SSP will include procedures that require the control and modification of the Security Officer's user ID and password.

The OCFO disagrees with the recommendation to implement a new "user access matrix" using the "least privileged concept." The OCFO believes that the DOLAR$ TC-Rule provides adequate granularity. The TC-Rule defines each user's access to each DOLAR$ screen by Action Code, Document Type and Transaction Code.
The TC-Rule permits a customized approach to system access and internal controls based on a Servicing Finance Office's needs, staffing, and functions.

OIG's Conclusion

We concur with the OCFO's planned action to update the SSP to better address security.

We disagree with the OCFO that the current system of assigning authority provides adequate granularity. The appropriate use of user classes (profiles) helps to minimize the risks in user and access management. Additionally, during our review OCFO personnel noted that over the years, different security officers have "created additional user classes out of convenience and not necessity."

We concur with the OCFO's planned action to modify the recertification process and update the SSP to include the new process and procedures.

We agree with the OCFO that the Security Officer and the Back-Up Security Officer are sharing one user ID to perform this function. However, it is noted that the OCFO will be addressing this weakness with additional policies and procedures in the SSP. The OIG will review the policies and procedures when they are developed to evaluate whether this action will mitigate the identified weakness.

The three recommendations are all unresolved. The actions noted for Recommendation 1, regarding the update of User Access in the SSP, will resolve the recommendation; however, the CFO needs to provide a timeframe for implementation. Resolution of Recommendation 2, regarding the correct use of user classes (profiles) for assigning access, will require the CFO to implement the user class security feature of DOLAR$.
The actions noted for Recommendation 3, regarding the recertification process, will resolve the recommendation; however, the CFO needs to provide a timeframe for implementation.

B. Technical Controls

We found that technical controls designed to automatically control password maintenance were not utilized and do not provide base-line security over the DOLAR$ general ledger. Specifically, we found that:

• Controls designed to ensure that users were changing their passwords at a regular interval were not effective. Our testing revealed that 36 percent of the DOLAR$ users had not changed their default passwords or were not changing their passwords regularly. (Note: the DOLAR$ application operates on an IDMS database that does not force password change intervals. This issue was documented as part of the general controls review.)
• The default password is easy to guess and widely known among the user community.
• Passwords associated with sensitive user IDs (i.e., Chief System Administrator, Security Officer) have not been regularly changed.

Unauthorized users could access the system using a default password. System security passwords that are not adequately protected or monitored can be used to circumvent controls and access critical processing and system management capabilities. Unauthorized access could compromise the integrity of the system and the financial data processing.

Recommendations

We recommend that the CFO:

4. Continue efforts to implement automated password parameter features (e.g., password expiration intervals, stronger password composition, lockout features, etc.).
   In addition, until an automated feature can be found to strengthen password controls, the manual control currently performed by the security group should be enhanced and enforced.

5. Create and implement, for all DOLAR$ users, a password policy that complies with the CIO's Computer Security Handbook. The policy should, at a minimum:
   • state the password composition rules and password change interval (every 30 days);
   • inform the user community that reviews will be conducted to enforce the policy; and
   • clearly state that noncompliance with the policy will be considered a violation resulting in the inactivation of the user ID.

The DOLAR$ security group should conduct monthly reviews to enforce the policy. Noncompliance with the policy should be considered a violation, documented as such, and result in inactivation of the user ID. In addition, the OCFO should research a mechanism for sending global messages to remind users logging onto the system to change their passwords regularly.

Management's Response

The OCFO will implement the automated password parameter features as planned. Until then, the OCFO will continue to improve upon methods of: (1) informing individuals with user IDs of the password composition rules; (2) reviewing monthly reports that reflect the frequency of changes to passwords; and (3) deactivating those user IDs belonging to users who fail to change their default password.

OIG's Conclusion

We concur with the OCFO's planned action to implement automated password features.
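The manual review described in the response above (a monthly pass over password-change data, with deactivation of IDs still on the default password) and the two CAAT access tests described in the methodology section can be expressed as checks over a user list and a posting file. The following Python is an added example with constructed data; it is not OIG or OCFO tooling and does not read DOLAR$ files. The only values taken from the report are the 30-day change interval in Recommendation 5 and the CAAT review period; every user, ID, date and field name is made up for the illustration.

```python
"""User-account review checks of the kind the report's password test and
CAAT access tests describe.  Added example with constructed data; not OIG
or OCFO tooling and not a DOLAR$ file format."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple

PASSWORD_CHANGE_INTERVAL_DAYS = 30      # change interval from Recommendation 5
REVIEW_START = date(2000, 10, 1)        # CAAT review period from the report
REVIEW_END = date(2001, 2, 28)


@dataclass(frozen=True)
class User:
    user_id: str
    person: str                  # individual who holds the ID
    can_update: bool             # update capability (False = read-only)
    on_default_password: bool
    last_password_change: date


# Constructed sample population (hypothetical people and IDs).
USERS = [
    User("JSMITH", "John S.", True, False, date(2001, 2, 10)),
    User("MDOE", "Mary D.", True, True, date(2000, 1, 15)),      # still on default
    User("BDAVIS", "Bob D.", True, False, date(2000, 6, 1)),     # stale, never posts
    User("BDAVIS2", "Bob D.", True, False, date(2001, 2, 1)),    # second ID, same person
    User("SBROWN", "Sue B.", False, False, date(2001, 2, 20)),   # read-only
]

# Constructed posted transactions: (user_id, posting date).
POSTINGS = [
    ("JSMITH", date(2000, 11, 3)),
    ("JSMITH", date(2001, 1, 17)),
    ("MDOE", date(2000, 12, 5)),
    ("BDAVIS2", date(2001, 2, 2)),
    ("SBROWN", date(2001, 1, 9)),     # a read-only ID that nevertheless posted
]


def password_exceptions(users, as_of) -> List[Tuple[str, str]]:
    """IDs still on the default password or past the change interval."""
    findings = []
    for u in users:
        age = (as_of - u.last_password_change).days
        if u.on_default_password:
            findings.append((u.user_id, "default password"))
        elif age > PASSWORD_CHANGE_INTERVAL_DAYS:
            findings.append((u.user_id, f"password age {age} days"))
    return sorted(findings)


def posting_access_exceptions(users, postings, start, end):
    """Update-capable IDs with no postings in the period, and IDs that posted
    without update capability (the two CAAT access tests in the report)."""
    posted = {uid for uid, d in postings if start <= d <= end}
    by_id = {u.user_id: u for u in users}
    idle_update = sorted(u.user_id for u in users
                         if u.can_update and u.user_id not in posted)
    posted_without_update = sorted(
        uid for uid in posted if uid not in by_id or not by_id[uid].can_update
    )
    return idle_update, posted_without_update


def duplicate_ids(users) -> Dict[str, List[str]]:
    """Persons holding more than one user ID."""
    ids = defaultdict(list)
    for u in users:
        ids[u.person].append(u.user_id)
    return {p: sorted(v) for p, v in ids.items() if len(v) > 1}


def review(users=USERS, postings=POSTINGS, as_of=REVIEW_END):
    """Run all checks and return the exception lists by area."""
    idle, odd = posting_access_exceptions(users, postings, REVIEW_START, REVIEW_END)
    return {
        "password": password_exceptions(users, as_of),
        "idle_update_ids": idle,
        "posted_without_update": odd,
        "duplicate_ids": duplicate_ids(users),
    }


if __name__ == "__main__":
    for area, result in review().items():
        print(f"{area}: {result}")
```

Each exception list maps to an action the report calls for: default or stale passwords feed the monthly deactivation review, idle update-capable IDs feed the recertification process, and a person holding two IDs is the duplicate-ID condition Recommendation 3 asks the SSP to address.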
With the lack of the automated features, we urge the OCFO to quickly implement the recommendation to enhance and enforce the current manual controls for password maintenance. Recommendation 4 is unresolved; resolution is dependent on the OCFO providing the timeframe for implementation of an automated password control feature. Recommendation 5 is unresolved pending a plan to implement the stronger manual controls outlined by the OCFO in its response.

2. The accuracy, completeness and integrity of the information processed and stored by the DOLAR$ application are weakened by inadequate application functionality.

A. Application Audit Trails

We found two instances of ineffective audit trails for the DOLAR$ application. First, the edit history for all transactions maintains only the prior editor's user ID. Without an adequate audit trail, a user could potentially validate a payable entered by that same user. This increases the risk that improperly authorized transactions could be processed and paid. Accountability over changes is diminished when only one user ID is associated with a transaction.

Second, DOLAR$ does not maintain a history of the changes performed using the "TLCC" transaction code. This code allows changes to specific fields (i.e., ALC, schedule number, and invoice number) of records already posted. The changes overwrite the original record and create two identical records.

The DOLAR$ system limitation of maintaining only a limited audit trail could minimize DOL's ability to identify changes made to processed transactions.
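As an added illustration of the two audit-trail weaknesses above (not DOLAR$ code; the record classes, user IDs and values are constructed for the example), the following Python contrasts a record that keeps only the prior editor's user ID with one that keeps an append-only edit history, and runs the same segregation-of-duties question against both: did the user who entered the payable also validate it? The same edit sequence is applied to each record type so the difference in what can be recovered afterwards is visible.

```python
"""Audit-trail depth and segregation of duties on a payable record.

Added illustration with constructed data; not DOLAR$ code.  A record that
keeps only the prior editor's user ID cannot show whether the validator is
the preparer, and an overwriting correction destroys the old field values.
An append-only history answers both questions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class LastEditorOnlyRecord:
    """Mirrors the weakness: each edit overwrites the previous editor's ID."""
    control_number: str
    amount: float
    invoice_number: str
    status: str = "new"
    last_editor: Optional[str] = None

    def apply(self, user_id: str, action: str, **changes) -> None:
        for name, value in changes.items():
            setattr(self, name, value)     # old value is gone after this
        self.status = action
        self.last_editor = user_id         # the prior editor is lost here


@dataclass
class AuditedRecord:
    """Append-only history: every action keeps who, what, and old/new values."""
    control_number: str
    amount: float
    invoice_number: str
    status: str = "new"
    history: List[Dict] = field(default_factory=list)

    def apply(self, user_id: str, action: str, **changes) -> None:
        before = {name: getattr(self, name) for name in changes}
        for name, value in changes.items():
            setattr(self, name, value)
        self.status = action
        self.history.append({"user": user_id, "action": action,
                             "before": before, "after": dict(changes)})


def preparer_validated_own_entry(record) -> Optional[bool]:
    """Segregation-of-duties check.  Returns True/False from the history, or
    None when the record retains too little history to decide."""
    history = getattr(record, "history", None)
    if history is None:
        return None                        # last-editor-only: undecidable
    entered_by = {h["user"] for h in history if h["action"] == "entered"}
    validated_by = {h["user"] for h in history if h["action"] == "validated"}
    return bool(entered_by & validated_by)


def run_scenario(record_cls):
    """Apply one constructed edit sequence to the given record type."""
    rec = record_cls("CN-0001", 1200.00, "INV-77")
    rec.apply("MDOE", "entered")                               # clerk enters payable
    rec.apply("MDOE", "amended", amount=12000.00)              # same clerk raises amount
    rec.apply("MDOE", "validated")                             # same clerk validates it
    rec.apply("JSMITH", "corrected", invoice_number="INV-78")  # unrelated later fix
    return rec


if __name__ == "__main__":
    weak = run_scenario(LastEditorOnlyRecord)
    print("last-editor-only record attributes everything to:", weak.last_editor)
    print("SoD check possible?", preparer_validated_own_entry(weak) is not None)
    strong = run_scenario(AuditedRecord)
    print("preparer validated own entry:", preparer_validated_own_entry(strong))
    for entry in strong.history:
        print(entry)
```

With the last-editor-only record the trail ends at the user who made the final, innocuous correction, and the amount change is unrecoverable; with the audited record the check flags the preparer-validator overlap and the original amount is still on file.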
This weakness becomes more significant when considered with the weaknesses associated with user account management, vendor table maintenance and excessive access.

Recommendations

We recommend the CFO:

6. Implement additional controls to capture at least two user IDs for critical processing functions to force segregation of duties.

7. Disable the "TLCC" transaction code (TC).

8. Perform a review of all TCs to ensure a business need exists and to ensure that the TCs do not expose the Department to potential security vulnerabilities.

Management's Response

The statement that "DOLAR$ maintains only the prior editor's user ID," while accurate for invoice processing, is not accurate for DOLAR$ transaction processing. DOLAR$ only requires a single user ID for core transactions as changes to those transactions are not allowed now that the TLCC has been removed. The OCFO will review the invoice processing to determine how best to maintain the initial user (control number identifier) as well as a second user who might modify the record.

The OCFO will establish appropriate internal controls necessary to address OIG's recommendation to implement additional controls to capture at least two user IDs for critical processing functions, approval of payments, etc., to force segregation of duties.

The OCFO believes that the auditors failed to test the "Transaction Correct (TLCC)" code. While changes via the TLCC code are not identifiable to the normal user, the information is maintained on the 650-byte transaction ledger record and can be accessed by an on-line query (OLQ).
Nevertheless, the OCFO has disabled this process and requires the user to reverse the incorrect entry and to re-post the corrected entry.

The audit report does not include an associated finding that warrants the third recommendation to perform a review of all TCs. What is the basis for the recommendation?

OIG’s Conclusion

The actions taken on our recommendation to remove the “TLCC” transaction code have partially resolved the recommendation to implement controls to capture additional information on critical processing and payment functions. However, the OCFO still needs to establish controls to capture information to enforce segregation of duties and ensure accountability. Recommendation 6 is unresolved. To resolve this issue, the OCFO needs to provide a plan, including timeframes, for establishing and implementing the controls.

We agree with the action of the OCFO to disable the “TLCC” transaction code. Recommendation 7 is resolved and open. Closure is dependent on the results of testing to be conducted as part of the FY 2002 financial statement work. We have asked the financial statement auditors to provide information on the use of the “TLCC” transaction code.

We disagree with the OCFO about the need to perform a review of all TCs for business need and security. The “TLCC” transaction code allowed changes to records that circumvented controls; the OCFO should have an interest in ensuring that other TCs do not expose the Department to additional unnecessary risks. Recommendation 8 is unresolved.
In order to resolve this recommendation, the OCFO needs to address this as a security risk and take appropriate measures to ensure that this risk is minimized to the greatest extent possible by reviewing the transaction codes.

B. Vendor Maintenance
We found that a large percentage (50%) of DOLAR$ users have vendor update processing capability through the Vendor Maintenance Table. In addition to these users, the DOLAR$ application allows users with processing capability in the A/P subsystem to add new or change existing vendor information. Inadequate controls over the vendor table increase the risk of duplicate payments, payments to unauthorized vendors or persons, and inactivation of authorized vendors leading to delays in payments. In addition, vendor table information can be added or modified without the controls of the Vendor Maintenance Table. The ability to enter vendor information outside of the Vendor Maintenance Table increases the difficulty of managing authorized vendors.

Recommendations

We recommend the CFO:

9.    Immediately conduct a review of all individuals having access to the Vendor Maintenance Table. The ability to add, modify, and/or delete information from the vendor maintenance table should be considered a critical function within DOLAR$ and access should be restricted to a tightly controlled group.

10.   Restrict the ability to update the vendor table from the A/P subsystem.

11.   Immediately conduct a review of the vendor table to identify and remove duplicate, inactive, and unauthorized vendors. Once completed, the OCFO should conduct periodic reviews of the vendor maintenance table.

Management’s Response

The OCFO disagrees with two findings in this area.
While fifty percent of DOLAR$ users have access to the critical screen in the database, a far lower percentage of those users have update capabilities on that screen. DOLAR$ TC-Rule limits that ability. Secondly, while a vendor record can be created on the Invoice Register screen, that vendor is created as “inactive” and must be activated by a user that has update access to the Vendor Maintenance screen before an invoice is processed for payment. We see no “weaknesses” in that process.

The OCFO has been and will continue to (1) review the vendor table to identify and remove duplicate vendors and (2) annually archive inactive vendors.

The OCFO has completed a review of the current users that have update capability to the Vendor Maintenance Table. As a result of this review, it was determined that this access by a limited number of users is required to accommodate the business need of each of DOL’s servicing finance offices. The OCFO will establish the appropriate internal controls necessary to resolve this issue.

OIG’s Conclusion

We disagree with the OCFO that a limited number of users had access to the vendor maintenance function. Our review showed that over 100 users had “Update” capability for the Vendor Maintenance Table. The OIG also maintains that this “limited number” of users required to accommodate the business need is excessive and increases the risk of fraudulent payments. Recommendation 9 is unresolved.
To resolve this recommendation, the OCFO needs to provide a detailed risk assessment defining the business need of the “limited number.”

We disagree with the OCFO’s position that the current ability to update the vendor table from the A/P subsystem is not a weakness. The OIG understands that when a vendor is created in the Invoice Register screen, the new vendor is placed “inactive.” However, the controls implemented in the Vendor Maintenance Table are effectively bypassed when a vendor is not created using the Vendor Maintenance Screen, thus increasing the risk that improper payments could be issued and increasing the difficulty in managing the vendor table. Recommendation 10 is unresolved. To resolve this recommendation, the OCFO needs to develop controls to limit vendor creation outside of the Vendor Maintenance process.

The OCFO has stated “The OCFO has been and will continue to (1) review the vendor table to identify and remove duplicate vendors and (2) annually archive inactive vendors.” Documentation or information has never been presented to validate this assertion. Recommendation 11 is unresolved. To resolve this recommendation, the OCFO needs to provide documentation that demonstrates the reviews have occurred.

C. Prior Month Posting Observation
We found that the user and system flags regulating prior period postings in DOLAR$ do not adequately control user capabilities. Users are able to post prior month transactions (excluding cash) if the system flag in the DOLAR$ Manager Table is set to Y(es) (allowing prior month transactions), regardless of whether the user’s own flag is set to Yes or No.
Therefore, any user can post to a prior month when the system prior period flag is set to Y.

Unauthorized users may post a transaction to a prior month, potentially causing accounting errors and impacting the integrity of financial reporting.

The prior month flag is functioning as designed by management. Although we have concerns over the ability of unauthorized users to post erroneous prior month transactions, we have referred this issue to OIG’s financial auditors for further review because of its financial accounting impact.

Management’s Response

The OCFO has revised its dual-month processing capabilities to ensure that only those users that have the appropriate authority are allowed to post against the prior accounting period. The prior-month authority now mirrors the system’s prior-year authority.

OIG’s Conclusion

The OIG has disclosed the information to the independent financial auditors for review. The OIG has provided Management’s response to the independent financial auditors as well. As a part of this report, the observation is closed and will not be tracked.

D. Dollar Amount of Transactions
We found that controls regulating the dollar amount that can be entered for a transaction are not adequate. The “Amount” field allows transactions to be entered with a dollar amount as high as $9,999,999,999.99. This limit applies to any transaction processed in DOLAR$ on any screen, notably the generic entry screen.
In addition, our tests show that nearly all transactions are for amounts less than $25,000, indicating that not all users need the ability to input transactions with high dollar amounts.

The lack of control on transaction amounts increases the risk to DOL that: (1) an individual wanting to commit fraud could misdirect a considerable amount of funding using only one transaction; and (2) a user could erroneously enter a high dollar amount, impacting the integrity of the transaction and the associated financial data supporting the financial statements.

The following mitigating controls do exist to reduce the effects of the condition; however, they alone do not provide sufficient control.
• A transaction cannot be processed for any amount greater than what is available to be spent via DOLAR$ Fund Control.
• A user other than the one that processed the transaction must verify all accounts payable transactions prior to disbursement.

Recommendation

We recommend that the CFO:

12.   Perform an assessment regarding how the users across the Department use the amount field in DOLAR$ and determine and implement a reasonable limit on this field.

Management’s Response

OCFO has determined that limiting the amount field would hinder DOL’s ability to process payments and transactions timely and efficiently.
In addition to the mitigating controls referenced in the finding, the OCFO has other controls, such as (1) daily monitoring of the status of funds and (2) daily review of the suspense file, including contacting the appropriate servicing finance office(s) to determine the nature of items on the file.

OIG’s Conclusion

We do not concur that implementing such controls would necessarily hinder DOL’s ability to process payments and transactions timely and efficiently. Two alternative methods of accomplishing this control objective are a daily exception report produced for supervisory approval, or requiring supervisory approval prior to processing of the transaction. Either or both would provide reasonable assurance that the transaction was accurate and authorized, without hindering DOL’s ability to process payments and transactions in a timely and efficient manner. Recommendation 12 is unresolved. To resolve this recommendation, the OCFO needs to provide the OIG with a formal risk assessment showing that the OCFO has reviewed the risk and accepts it, or implement the recommendation.

Acronyms

A/P              Accounts Payable
CAAT             Computer Assisted Auditing Techniques
CFO              Chief Financial Officer
CIO              Chief Information Officer
DFD              Data Flow Diagrams
DOL              Department of Labor
DOLAR$           Department of Labor Accounting and Related Systems
ESA/FECA         ESA’s Federal Employees’ Compensation Act
NIST             National Institute of Standards and Technology
OCFO             Office of the Chief Financial Officer
OIG              Office of Inspector General
OMB              Office of Management and Budget
PMS/HHS          Payment Maintenance System/Health and Human Services
SSP              System Security Plan
TC               Transaction Code
UTF              Unemployment Trust Fund